Muthu_Vinith
Path Finder

Hello Experts,

I'm facing a challenge where I need to automatically load data from Python script results into a metric index in Splunk. Is it possible? I'd appreciate any guidance or examples of how to achieve this.

Thanks


richgalloway
SplunkTrust
SplunkTrust

Data sent to a metrics index must be in a particular format.  See https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Metrics/GetMetricsInOther for the specifics.

You should be able to set up the script as a scripted input that writes CSV data to stdout.  Splunk will index anything sent to stdout.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Muthu_Vinith
Path Finder

I tried to upload a .py file for Data Inputs - Scripts in Splunk for searching, but I can't get results. My sourcetype is CSV. How can I fix this? @richgalloway

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Give us more information to work with.  How did you try to upload the .py file?  To which instance did you upload it?  Where on that instance did you try to put it?  What error did you get?

Scripts can be installed in $SPLUNK_HOME/etc/bin or $SPLUNK_HOME/etc/<app>/bin on any instance, but not in a cluster.  Use a heavy forwarder for the script if you have both search head and indexer clusters.  Once the script file is installed in the right place you can use the GUI to define an input to use that script.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Muthu_Vinith
Path Finder

I've tried both methods for installing scripts. However, I'm getting an error "No Results found". But when I run the Python file, I can get results and it downloads as an Excel file. @richgalloway

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The "No results found" message is from a search, so it would seem you were successful in uploading your script ("tried" implies failure).  Failure to find data in a search does not mean the data did not get ingested.  So, let's unpack this problem.

First, confirm the script works in the Splunk environment by using this command

splunk cmd python <<your .py file>>

Once that works, verify the scripted input is configured properly and is not disabled.  Make a note of the index and sourcetype specified in the input.  Confirm the index exists on the indexers and that the sourcetype is defined in a props.conf file, also on the indexers.  The props.conf settings must ensure timestamps are correctly extracted from the data provided by the script.  Without a good timestamp, the data may be indexed, but be undiscoverable.

Wait for the script to run.  Then, using the noted index and sourcetype, search for the data.

index=foo sourcetype=bar earliest=-24h

Please let us know which part of these steps fails.

---
If this reply helps you, Karma would be appreciated.
0 Karma
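To tie the two pieces of advice together (a scripted input that writes metrics-format CSV to stdout, and the point that a row without a usable timestamp or numeric value may be indexed but never found), here is an added example script that is not part of this thread or of Splunk's documentation. It assumes the CSV column layout described in the linked metrics docs (a `metric_timestamp` in epoch seconds, a `metric_name`, a numeric `_value`, and any further columns treated as dimensions); verify those names against the docs for your Splunk version before relying on them. The measurements, host names and regions are constructed sample data standing in for whatever the real script produces.

```python
#!/usr/bin/env python3
"""Scripted-input example: emit metrics as CSV on stdout, dropping rows Splunk cannot surface."""
import csv
import io
import math
import sys
import time

# Assumed column layout for Splunk's CSV metrics format: timestamp, name, value, then dimensions.
FIELDNAMES = ["metric_timestamp", "metric_name", "_value", "host", "region"]


def collect_samples(now):
    """Constructed sample measurements; a real script would gather these from its data source."""
    now = int(now)
    return [
        {"metric_timestamp": now, "metric_name": "cpu.utilization", "_value": 42.5,
         "host": "web01", "region": "us-east"},
        {"metric_timestamp": now, "metric_name": "mem.used_pct", "_value": 71.0,
         "host": "web01", "region": "us-east"},
        # Deliberately malformed: a non-numeric value would leave this row unusable as a metric.
        {"metric_timestamp": now, "metric_name": "cpu.utilization", "_value": "n/a",
         "host": "web02", "region": "us-west"},
    ]


def valid_row(row, now, max_skew=86400):
    """A row is usable only if it has a name, a finite numeric value and a timestamp near 'now'.

    Rows that fail here are the ones that get ingested but never show up in a search window.
    """
    try:
        ts = float(row["metric_timestamp"])
        value = float(row["_value"])
    except (KeyError, TypeError, ValueError):
        return False
    if not math.isfinite(value) or not row.get("metric_name"):
        return False
    return abs(ts - now) <= max_skew


def render_csv(rows, now):
    """Return (csv_text, rows_kept); malformed rows are reported on stderr instead of emitted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDNAMES, lineterminator="\n")
    writer.writeheader()
    kept = 0
    for row in rows:
        if valid_row(row, now):
            writer.writerow(row)
            kept += 1
        else:
            # stderr does not reach the index; Splunk logs it separately, so it is safe for diagnostics.
            print(f"skipping malformed metric row: {row}", file=sys.stderr)
    return buf.getvalue(), kept


def parse_csv(text):
    """Read the emitted text back as header + rows, the way a CSV consumer would."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    current = int(time.time())
    csv_text, _ = render_csv(collect_samples(current), current)
    sys.stdout.write(csv_text)
```

Run it the way the troubleshooting step suggests, `splunk cmd python <<your .py file>>`, and you should see the header line followed by two data rows on stdout and one "skipping" line on stderr; if that works, the remaining suspects are the input definition (index, sourcetype, disabled flag) rather than the script itself.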